Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4a1f94297f534d30…

MALICIOUS

Office (OOXML)

20.2 KB Created: 2017-10-27 22:23:00 UTC Authoring application: Microsoft Office Word 16.0000 First seen: 2018-06-14
MD5: 2d9619a452fe9c54e2d281e42a86f3de SHA-1: e710e79f7dd1ddda4918e60f0fc1587b66b7f960 SHA-256: 4a1f94297f534d3010b0c6b2dc1bff401b1c6e960fc5c90b09a31eab70095f63
110 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample contains DDE fields that are chained together to execute a command. The decoded command payload indicates the execution of 'c:\Windows\System32\cmd.exe /c taskkill /f winword.exe&powershell.exe', which attempts to terminate Microsoft Word and then execute PowerShell. This indicates an attempt to exploit the DDE functionality for arbitrary command execution.

Heuristics 4

  • Field QUOTE with ASCII-integer command payload critical OOXML_FIELD_QUOTE_ASCII_PAYLOAD
    QUOTE field in word/footer2.xml carries a decimal-ASCII byte sequence that decodes to a shell command referencing cmd
  • Word field-chain (SET/REF) co-located with DDE high OOXML_FIELD_SET_REF_CHAINING
    3 SET/REF variable pair(s) co-occur with DDE field(s) in word/footer2.xml
  • DDE field low OOXML_DDE
    DDE (Dynamic Data Exchange) field found in word/footer2.xml. The command does not reference a known-dangerous executable, but DDE can be abused for code execution.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://lokipanelhostingpanel.gq/work/1.exe In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)